This project provides a setup to scan artifact repositories like Nexus or Artifactory and identify Maven projects which declare dependencies to log4j.
|
Note
|
As a pre-condition the repositories must provide an index. This can be activated in the administration of the repository manager. |
mvn verify -Drepo.url=http://host:8080/nexus/content/repositories/my-repo -Drepo.filter=com.my-company.*:*:*"
The property repo.url should point to a hosted repository or repository group which contains the artifacts.
The additional (but recommended) property repo.filter takes a comma separated list of Maven artifact patterns and allows filtering (usually the groupId of the organization).
The scan will take some time, analysis is executed directly after the scan has finished.
Two CSV reports are created in the folder target/jqassistant/report/csv:
-
log4j-repository-analysis_DirectLog4jDependencies: Projects declaring a direct dependency to Log4j artifacts. -
log4j-repository-analysis_TransitiveLog4jDependencies: Deployable artifacts (WAR, EAR, Spring Boot fat JAR and JAR files with a main class declaration) having a direct or indirect dependency to Log4j core 2.x.
|
Tip
|
The reports are created from Cypher queries and implemented as jQAssistant rules which are located in jqassistant/log4j-repository-analysis.xml. |
|
Tip
|
Incremental scans and analysis are supported. Therefore the folders containing the database and downloaded Maven artifacts data have been moved from the default folder target/jqassistant to data.
Depending on the size of the analyzed repository this folder might require large amounts of disk space.
|
-
Depending on the size of the repository the scan will take time (to be counted in hours).
-
The executed queries might be expensive as well. If an OutOfMemoryError is reported during analysis then the heap size for Maven should be set using the environment variable
MAVEN_OPTS=-Xmx16G. -
If the scan aborts right after startup with a message
[WARNING] Cannot scan item https://…; java.io.FileNotFoundException: Resource nexus-maven-repository-index.properties does not existthen there’s no index available for the repository and must be activated. The presence of an index can be verified by checking existence of a folder named.indexin the root directory of the repository, e.g.https://repo1.maven.org/maven2/.index/. -
In case the repository requires user authentication the credentials can be passed within the URL, e.g.
-Drepo.url=http://user:password@host:8080/nexus/content/repositories/my-repo -
For repository URLs using HTTPS and self-signed certificates it will be necessary to import the certificate into the keystore of the used Java Runtime Environment (not verified):
$JAVA_HOME/bin/keytool -import -alias NEXUS -file nexus.crt -keystore $JAVA_HOME/lib/security/cacertsTipThe certificate can be exported directly from a web browser (e.g. as DER encoded-binary X509), the default passwort of the JRE keystore is changeit. -
The project provides an optional setup for spinning up a Neo4j container using
docker-compose up. Scan and analysis can be configured to use this by either providing the system property-Dstore.uri=bolt://localhost:7867on the command line or uncommenting the store-uri section in the filepom.xml.